Employers Must Consider Social Media Risks

It should be no surprise that the use of social media creates risks – legal and financial risks related to privacy and data security issues are among the most examined concerns.

But the use of social media also may create risks that can’t be valued by a dollar sign – risks to human life and safety.

A recent security incident involving the children of Michael Dell (the founder and CEO of Dell, Inc.) highlights this issue. As reported by Bloomberg Businessweek and the Huffington Post, Dell’s teenage daughter is (unsurprisingly) active on social media networks, such as Twitter and Instagram.

Dell’s daughter reportedly posted information that could reveal the physical location of Mr. Dell, who reportedly spends $2.7 million annually on security for his family. Such information gleaned from social media could prove invaluable to kidnappers or other criminals. And millions spent on security could be counteracted by a single tweet.

The risks to physical safety are not limited to executives, but apply to all of a company’s employees. Data about a person’s physical location is generally considered to be sensitive personal information. Individuals should make a conscious choice whether to share such information, although some individuals should probably never share this information (such as an executive who spends millions on personal security).

Individuals should also be aware that location information can be revealed inadvertently: a recent “social experiment” demonstrates that an individual’s home address can reasonably be determined by identifying the individual’s Twitter posts that contain location data referring to “home.” Even seemingly innocuous apps that reveal information about one’s travel plans have the capability to reveal sensitive location information, perhaps in combination with other public information.

Such risks of inadvertent disclosure or over-sharing may also arise from a family member or friend, who may often accompany an employee. Even if the family members are not connected on a social network, or if their connections aren’t visible publicly, these risks persist because the identity of one’s family members may be public knowledge.

Indeed, criminals or other bad actors may seek to connect to or follow family members online in the hope of gleaning important information about the executive. For instance, burglars are known to have used social media to help determine which homes to rob. Aside from the potential physical danger involved with a robbery, helping an employee reduce the risk of a home burglary may help a company prevent a data breach.

Employees and their families may be aware that they should not share information publicly, but only with their friends; however, even sharing with friends can pose risks. First, privacy settings are subject to technological glitches that may render them ineffective, at least temporarily. More importantly, bad actors may be able to sidestep such settings.

One should assume that any information purportedly protected by privacy settings could still be viewed by strangers. Second, it is difficult if not impossible to authenticate all “friends” on a social network – they may be impersonators of the real-life person, looking to scrape sensitive information from the “private” online posts.

This second point is an important consideration for all users of social media. Security researchers on one social network have demonstrated that an individual can claim to be an employee of a large company and quickly make online connections to other people at that company, thereby appearing to be as credible as an employee of that company. Therefore, for example, if an employee who is known to frequently travel with an executive posts travel details that include or suggest physical location, that information may also be visible to strangers or imposters.

How can a company address these risks? Social media policies are a good starting place for establishing the acceptable boundaries for employees’ use of social media. All organizations should have such a policy and review it periodically to address new technological developments and legal requirements in this rapidly developing space.

One of the key limitations of social media policies, however, is the expansive view of employees’ rights to discuss their employment that the National Labor Relations Board has articulated in its enforcement actions and reports, starting in the fall of 2010.

Accordingly, simply having a policy doesn’t go far enough – employee training on the risks that over-sharing may raise for employees and employers is key to mitigating these risks. Companies may also wish to ensure that executive security staff are up to date on social media risks, in light of the Michael Dell incident.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
